Password change on basic security certs


  • #55684
    Michael Hertel
    Participant

      We have a policy that users need to change their passwords every 90 days on all systems.

      We are implementing basic security on our latest Cloverleaf install.

      It appears the only way to change passwords on the certificates is for an administrator to do it through hcicertmgr.

      How do you change the passwords at your site? Do you issue new passwords? Do you bring up the gui and let the users change it while you turn your back and are not looking? Or am I all wrong and there is another way that the users can do it themselves without my involvement?

      Thank you in advance.

    Viewing 14 reply threads
      • #86147
        Rob Lindsey
        Participant

          We have basic security set up here at our shop and have tied the IDE and Global Monitor to the users' Active Directory password. This way our admins do not have to do anything.

          Hopefully this helps you out in the long run.

          Rob

        • #86148
          Michael Hertel
          Participant

            Thanks for the idea.

            That probably is the way to go.

            But that means I’ll have another friendly department to …work… with. 😈

          • #86149
            Peter Heggie
            Participant

              We have tied our Global Monitor to Active Directory, but how do we tie our IDE security to Active Directory? We just upgraded to Basic Security. We are on AIX. I don’t even know how to change a password on a user certificate without creating a new one?

              Peter Heggie

            • #86150
              bill bearden
              Participant

                We are on Global Monitor 6.1.1 and we have had AD security on it for quite a while. I don’t remember what version or when we turned it on.

                We are on Cloverleaf 6.2.0.1 and we are testing Basic security/AD security. Our current impression is positive. I thought it might be more annoying but it doesn’t ask us for our passwords all the time.

                I don’t know when the AD feature was added to the IDE but I think it was pretty recent. There is an LDAP tab in Server Administrator. The form is basically the same as the one in Server Administrator for Global Monitor.

              • #86151
                Peter Heggie
                Participant

                  Is your Cloverleaf installation on AIX?

                  I think we have to use an Xterm tool to run these functions.

                  How did you tie your Cloverleaf 6.2 Basic Security to use AD? Once you did that, you no longer had to change passwords in Cloverleaf?

                  Peter Heggie

                • #86152
                  Keith McLeod
                  Participant

                    Serveradmin has an LDAP section you will need to work with an AD person.

                  • #86153
                    Peter Heggie
                    Participant

                      Yes, thank you – we will try this.

                      Peter Heggie

                    • #86154
                      Peter Heggie
                      Participant

                        Before I start changing things I want to make sure this applies to AIX servers. We have basic security enabled, but not advanced security. So I’m wondering how Cloverleaf on AIX communicates to Active Directory without advanced security.

                        We do have Global Monitor and it uses Active Directory, but it is Windows-based software, so it’s much easier to connect to Active Directory, Windows to Windows.

                        Peter Heggie

                      • #86155
                        Keith McLeod
                        Participant

                          I used it on both Linux and AIX.

                        • #86156
                          Peter Heggie
                          Participant

                            Using hciserveradmin, I updated the LDAP parameters to be the same as what we have for Global Monitor. I clicked on the Test button to ensure that the link to Active Directory is working – and it worked.

                            After saving the new configuration and bouncing the host server, I can no longer log in via the GUI – I get an Error invalidCredentials – Error 49.

                            Do the user certificates stored on the individual’s workstation have to match the AD userid?

                            Because AIX has a length limit on userids, and our corporate AD userids are our full names, we had to use shortened userids in AIX. If we have to have certificates on our workstations that match both our AIX userids and our AD userids, it will not work.

                            Did I miss a step?

                            Peter Heggie
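The "Error invalidCredentials – Error 49" in the post above is LDAP result code 49. Active Directory returns that single code for several different conditions (wrong password, unknown user, disabled, locked or expired account, expired password) and tells them apart only through a "data" subcode in its diagnostic message. The helper below is an added example, not code from this thread, from Cloverleaf or from Infor; it parses such messages, names the condition and says what an operator should look at next. The sample messages are constructed, the DSID/v values in them are placeholders in the usual AD format, and whether Cloverleaf surfaces the AD diagnostic text at all is an assumption.

```python
import re
from typing import Dict, List, Optional

# Active Directory substatus codes carried in the "data NNN" field of its
# bind-failure diagnostic message. All of them arrive as LDAP result code 49
# (invalidCredentials); only the subcode distinguishes them.
AD_SUBCODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "userid/password mismatch",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Operator triage for each subcode: what to check before changing anything.
NEXT_STEP: Dict[str, str] = {
    "525": "check the userid the client actually presents (mapping, format)",
    "52e": "check the userid/password pair the client presents; do not reset anything yet",
    "530": "AD logon-hours policy",
    "531": "AD workstation restriction policy",
    "532": "password lifecycle: user must change password",
    "533": "account state in AD: ask the directory team",
    "701": "account state in AD: ask the directory team",
    "773": "password lifecycle: user must change password",
    "775": "lockout: check for repeated failed binds before unlocking",
}

# "error code 49", "result code 49" or a bare "Error 49" (as in the post above).
_RESULT_CODE_RE = re.compile(
    r"\b(?:result\s+code|error\s+code|error)\s*:?\s*(\d+)\b", re.IGNORECASE
)
# The AD subcode, e.g. "data 52e".
_SUBCODE_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def explain_bind_error(message: str) -> Dict[str, Optional[str]]:
    """Classify one LDAP bind-failure message.

    Returns the LDAP result code (string or None), the AD subcode (or None),
    a short cause and a suggested next step.
    """
    info: Dict[str, Optional[str]] = {
        "result_code": None,
        "subcode": None,
        "cause": "unknown",
        "next_step": "read the full server log",
    }
    m = _RESULT_CODE_RE.search(message)
    if m:
        info["result_code"] = m.group(1)
    if "invalidCredentials" in message:
        info["result_code"] = "49"
    s = _SUBCODE_RE.search(message)
    if s:
        sub = s.group(1).lower()
        info["subcode"] = sub
        info["cause"] = AD_SUBCODES.get(sub, "unrecognised AD subcode")
        info["next_step"] = NEXT_STEP.get(sub, "look the subcode up in the AD documentation")
    elif info["result_code"] == "49":
        # Result code without the AD diagnostic: the client only shows the
        # generic error, so the detail has to come from the server side.
        info["cause"] = "invalid credentials (server gave no subcode)"
        info["next_step"] = "enable server-side logging to get the AD diagnostic message"
    return info


# Constructed sample messages (not taken from the thread).
SAMPLE_MESSAGES: List[str] = [
    "Error invalidCredentials - Error 49",
    "LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: "
    "AcceptSecurityContext error, data 52e, v1db1",
    "LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: "
    "AcceptSecurityContext error, data 533, v1db1",
    "LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: "
    "AcceptSecurityContext error, data 775, v1db1",
]


def triage_all(messages: List[str]) -> List[Dict[str, Optional[str]]]:
    """Classify a batch of messages, e.g. lines pulled from a server log."""
    return [explain_bind_error(m) for m in messages]


if __name__ == "__main__":
    for info in triage_all(SAMPLE_MESSAGES):
        print(f"{str(info['cause']):<45} -> {info['next_step']}")
```

The reason the 52e case says "do not reset anything yet" is exactly the question raised in the post: a mismatch can mean the client is presenting a different userid (certificate name, AIX short name, AD name) than the one the administrator expects, and resetting passwords will not fix that.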

                          • #86157
                            Peter Heggie
                            Participant

                              I spoke too soon. Even though the logon screen automatically changed the name of the security certificate to match the new, longer AD userid, it apparently is then ignored and the AD security was used to log on. And so far, so good!

                              Peter Heggie

                            • #86158
                              Peter Heggie
                              Participant

                                LDAP security is working well. We enabled it in our test environment (6.2.2), and when we open our prod environment using our mobile client for 6.2.0.2, it prompts us for our LDAP userid password, which will not work (because we have not modified Prod yet) and we have to change the name to our UNIX userid and use that ID’s password. Which is fine, and is not too annoying. When we change Prod to use LDAP, this behavior should go away.

                                Peter Heggie

                              • #86159
                                Keith McLeod
                                Participant

                                  Glad to hear things are working.  Generally the AIX userid has no bearing on the LDAP authentication.  Unless they fixed it, one concern is that capitalization can cause differences.  In particular on Global Monitor, Keith is not the same as keith, yet both will validate correctly against AD. Not sure this was a problem in Cloverleaf itself, but definitely was in GM.

                                  I have users that don’t have an AIX account, but can authenticate using basic security and LDAP.

                                  Was hoping I could have them do most of the backend in the remote commands, however, some things are tougher in the remote commands window.  Still not sure if I can pipe between commands and such…
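The point above, that "Keith" and "keith" are two different accounts to Global Monitor yet both validate against AD because the directory matches account names without regard to case, is worth seeing in code. The following is an added example, not code from this thread, from Cloverleaf or from Global Monitor: it simulates the directory and an application account table with constructed data, contrasts a lookup keyed on the name as typed with one keyed on the name the directory itself holds, and adds a check for case-colliding accounts that an administrator can run before enabling LDAP. Which field Cloverleaf or GM actually keys on is not known from the thread, so using the directory's canonical name is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DirectoryUser:
    sam_account_name: str  # the name as stored in the directory (canonical case)
    password: str          # toy secret for the simulation only


# Constructed toy directory. Active Directory matches sAMAccountName without
# regard to case; that is modelled by keying on the lower-cased name.
_DIRECTORY: Dict[str, DirectoryUser] = {
    u.sam_account_name.lower(): u
    for u in (
        DirectoryUser("Keith", "correct horse"),
        DirectoryUser("pheggie", "battery staple"),
    )
}


def directory_bind(userid: str, password: str) -> Optional[DirectoryUser]:
    """Simulated AD simple bind: succeeds for any casing of the name."""
    user = _DIRECTORY.get(userid.lower())
    if user is None or user.password != password:
        return None
    return user


# Application-side account table keyed by the userid the administrator typed
# when the account was created. Two entries differing only in case model the
# "Keith is not the same as keith" situation described above.
APP_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "Keith": {"role": "admin"},
    "keith": {"role": "viewer"},
    "pheggie": {"role": "admin"},
}


def authorize_as_typed(userid: str, password: str) -> Optional[Dict[str, str]]:
    """Weak pattern: bind to AD, then look the account up by the name as typed.

    The directory accepts any casing, so the casing the user happens to type
    decides which application account (and therefore which role) they get.
    """
    if directory_bind(userid, password) is None:
        return None
    return APP_ACCOUNTS.get(userid)


def authorize_canonical(userid: str, password: str) -> Optional[Dict[str, str]]:
    """Hardened pattern: bind, then key the lookup on the directory's own name.

    Every casing of the same directory identity resolves to one application
    account, so a duplicate entry cannot be reached by retyping the name.
    """
    user = directory_bind(userid, password)
    if user is None:
        return None
    return APP_ACCOUNTS.get(user.sam_account_name)


def find_case_collisions(accounts: Dict[str, Dict[str, str]]) -> List[List[str]]:
    """Return groups of application userids that differ only by case.

    Run this before enabling LDAP authentication: each group is a set of
    accounts that a single directory credential would be able to unlock.
    """
    groups: Dict[str, List[str]] = {}
    for name in accounts:
        groups.setdefault(name.lower(), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for typed in ("Keith", "keith", "KEITH"):
        print(typed, "as typed:", authorize_as_typed(typed, "correct horse"),
              "canonical:", authorize_canonical(typed, "correct horse"))
    print("case collisions:", find_case_collisions(APP_ACCOUNTS))
```

Note the third case in the demo: "KEITH" binds successfully but finds no application account at all under the as-typed lookup, which is a silent failure rather than a clear error; the canonical lookup resolves it to the single "Keith" record.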

                                • #86160
                                  Peter Heggie
                                  Participant

                                    Right – we just decided initially, when enabling Basic Security (without LDAP), that we would disable logons for user ‘hci’ and create new accounts for our team, and then su to ‘hci’ from those new accounts.

                                    When we enabled Basic Security, we created userids & certificates based on the same name as the new AIX userids, although we probably could have called them anything.

                                    Yes we have the same issue with Global Monitor with userid case. We will start playing with the new Global Monitor next week. There are several improvements to LDAP and AD processing and I hope this issue is addressed as well.

                                    Peter Heggie

                                  • #86161
                                    Peter Heggie
                                    Participant

                                      We did enable LDAP in production last week and it is working great. Now we can just use our AD accounts to log in automatically (although occasionally the cached credentials are flushed according to some internal timer in Cloverleaf and we have to re-enter them – not a big deal).

                                      Still trying to get the new Global Monitor to work. It cannot connect to Cloverleaf when LDAP is enabled. Yes we excluded the ‘administrator’ account. Not exactly sure what credentials are being asserted but that is where the error is. Working with support.

                                      Peter Heggie
